CVRIA 


Date de reception 


23 / 01/2015 



CVRIA 


Published ID 

C-362/14 

Document number 

13 

Register number 

976996 

Date of lodgment 

03/11/2014 

Date of entry in the register 

03/11/2014 

Type of document 

Observations 


Annexes Part 2 

Lodgment reference 

DC33346 

File number 

3 

Person lodging document 

Julie Vondung (R249125) 

Commission 




Annex 2 


Communication from the Commission to the European Parliament and the Council on "the 
Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in 
the EU", COM(2013) 847, 27.11.2013, referred to in paragraph 29 of the observations. 



49 


EN 




EUROPEAN 

COMMISSION 


Brussels, 27.11.2013 
COM(2013) 847 final 


COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN 
PARLIAMENT AND THE COUNCIL 

on the Functioning of the Safe Harbour from the Perspective of EU Citizens and 

Companies Established in the EU 


EN 


50 


COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN 
PARLIAMENT AND THE COUNCIL 


on the Functioning of the Safe Harbour from the Perspective of EU Citizens and 

Companies Established in the EU 


1. Introduction 

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the 
processing of personal data and on the free movement of such data (hereinafter “data 
protection Directive”) sets the rules for transfers of personal data from EU Member States to 
other countries outside the EU 1 to the extent such transfers fall within the scope of this 
instrument 2 . 

Under the Directive, the Commission may find that a third country ensures an adequate level 
of protection by reason of its domestic law or of the international commitments it has entered 
into in order to protect rights of individuals in which case the specific limitations on data 
transfers to such a country would not apply. These decisions are commonly referred to as 
"adequacy decisions". 

On 26 July 2000, the Commission adopted Decision 520/2000/EC 3 (hereafter “Safe Harbour 
decision”) recognising the Safe Harbour Privacy Principles and Frequently Asked Questions 
(respectively “the Principles” and “FAQs”), issued by the Department of Commerce of the 
United States, as providing adequate protection for the purposes of personal data transfers 
from the EU. The Safe Harbour decision was taken following an opinion of the Article 29 
Working Party and an opinion of the Article 31 Committee delivered by a qualified majority 
of Member States. In accordance with Council Decision 1999/468 the Safe Harbour Decision 
was subject to prior scrutiny by the European Parliament. 

As a result, the current Safe Harbour decision allows free transfer 4 of personal information 
from EU Member States 3 to companies in the US which have signed up to the Principles in 
circumstances where the transfer would otherwise not meet the EU standards for adequate 
level of data protection given the substantial differences in privacy regimes between the two 
sides of Atlantic. 

The functioning of the current Safe Harbour arrangement relies on commitments and self- 
certification of adhering companies. Signing up to these arrangements is voluntary, but the 
rules are binding for those who sign up. The fundamental principles of such an arrangement 
are: 

a) Transparency of adhering companies' privacy policies, 

b) Incorporation of the Safe Harbour principles in companies' privacy policies, and 


Articles 25 and 26 of the data protection Directive set forth the legal framework for transfers of personal data from the EU to third 
countries outside the EEA. 

Additional rules have been laid down in Article 13 of Framework Decision 2008/977/JHA of 27 November 2008 on the 
protection of personal data processed in the framework of police and judicial cooperation in criminal matters to the extent such 
transfers concern personal data transmitted or made available by one Member State to another Member State, who subsequently 
intends to transfer those data to a third state or international body for the purpose of the prevention, investigation, detection or 
prosecution of criminal offences or the execution of criminal sanctions. 

Commission decision 520/2000/EC of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on 
the adequacy of the protection provided by the Safe Harbour Privacy Principles and related FAQs issued by the US Department 
of Commerce in OJ 215 of 28 August 2000, page 7. 

The above does not exclude the application to the data processing of other requirements that may exist under national legislation 
implementing the EU data protection directive. 

Data transfers from the three States Parties to the EEA are similarly affected, following extension of Directive 95/46/EC to the 
EEA Agreement, Decision 38/1999 of 25 June 1999, OJ L 296/41, 23.1 1.2000. 


EN 


2 


EN 



51 


EN 


c) Enforcement, including by public authorities. 

This fundamental basis of the Safe Harbour has to be reviewed in the new context of: 

a) the exponential increase in data flows which used to be ancillary but are now central to 
the rapid growth of the digital economy and the very significant developments in data 
collection, processing and use, 

b) the critical importance of data flows notably for the transatlantic economy, 6 

c) the rapid growth of the number of companies in the US adhering to the Safe Harbour 
scheme which has increased by eight- fold since 2004 (from 400 in 2004 to 3,246 in 
2013), 

d) the information recently released on US surveillance programmes which raises new 
questions on the level of the protection the Safe Harbour arrangement is deemed to 
guarantee. 

Against this backgroimd, this Communication takes stock of the functioning of the Safe 
Harbour scheme. It is based on evidence gathered by the Commission, the work of the EU- 
US Privacy Contact Group in 2009, a Study prepared by an independent contractor in 2008 7 
and information received in the ad hoc EU-U.S Working Group (the “Working Group”) 
established following the revelations on US surveillance programmes (see a parallel 
Document). This Communication follows the two Commission Assessment Reports in the 
start-up period of the Safe Harbour arrangement, respectively in 2002 and 2004 . 

2. Structure and functioning of Safe Harbour 
2.1. Structure of the Safe Harbour 

A US company that wants to adhere to the Safe Harbour must: (a) identify in its publicly 
available privacy policy that it adheres to the Principles and actually does comply with the 
Principles, as well as (b) self-certify i.e., declare to the US Department of Commerce that it is 
in compliance with the Principles. The self-certification must be resubmitted on an annual 
basis. The Safe Harbour Privacy Principles attached in Annex I to the Safe Harbour Decision 
include requirements on both the substantive protection of personal data (data integrity, 
security, choice, and onward transfer principles) and the procedural rights of data subjects 
(notice, access, and enforcement principles). 

As to the enforcement of the Safe Harbour scheme in the US, two US institutions play a major 
role: the US Department of Commerce and the US Federal Trade Commission. 

The Department of Commerce reviews every Safe Harbour self-certification and every 
annual recertification submission that it receives from companies to ensure that they include 


According to some studies, if services and cross-border data flows were to be disrupted as a consequence of discontinuity of 
binding corporate rules, model contract clauses and the Safe Harbour, the negative impact on EU GDP could reach -0,8% to - 
1,3% and EU services exports to the US would drop by -6,7% due to loss of competitiveness. See: “The Economic Importance of 
Getting Data Protection Right”, a study by the European Centre for international Political Economy for the US Chamber of 
Commerce, March 2013. 

Impact Assessment Study prepared for the European Commission in 2008 by the Centre de Recherche lnformatique et Droit 
('CRID') of the University of Namur. 

Commission Staff Working Paper “The application of Commission Decision 520/2000/EC of 26 July 2000 pursuant to Directive 
95/46 of the European Parliament and of the Council on the adequate protection of personal data provided by the Safe Harbour 
Privacy Principles and related FAQs issued by the US Department of Commerce”, SEC (2002) 196, 13.12.2002. 

Commission Staff Working Paper "The implementation of Commission Decision 520/2000/EC on the adequate protection of 
personal data provided by the Safe Harbour Privacy Principles and related FAQs issued by the US Department of Commerce", 
SEC (2004) 1323,20.10.2004. 


3 


EN 



52 


all the elements required to be a member of the scheme 10 . It updates a list of companies which 
have filed self-certification letters and publishes the list and letters on its website. 
Furthermore, it monitors the functioning of Safe Harbour and removes from the list 
companies not complying with the Principles. 

The Federal Trade Commission, within its powers in the field of consumer protection, 
intervenes against unfair or deceptive practices pursuant to Section 5 of the Free Trade 
Commission Act. The Federal Trade Commission's enforcement actions include inquiries on 
false statements of adherence to Safe Harbour and non-compliance with these Principles by 
companies which are members of the scheme. In the specific cases of enforcing the Safe 
Harbour Principles against air carriers, the competent body is the US Department of 
Transportation 1 1 . 

The current Safe Harbour Decision is part of EU law which has to be applied by Member 
State Authorities. Under the Decision, the EU national data protection authorities (DPAs) 
have the right to suspend data transfers to Safe Harbour certified companies in specific 
cases 12 . The Commission is not aware of any cases of suspension by a national data protection 
authority since the establishment of Safe Harbour in 2000. Independently of the powers they 
enjoy under the Safe Harbour Decision, EU national data protection authorities are competent 
to intervene, including in the case of international transfers, in order to ensure compliance 
with the general principles of data protection set forth in the 1995 Data Protection Directive. 

As recalled in the current Safe Harbour Decision, it is the competence of the Commission - 
acting in accordance with the examination procedure set out in Regulation 182/2011 - to 
adapt the Decision, to suspend it or limit its scope at any time, in the light of experience with 
its implementation. This is notably foreseen if there is a systemic failure on the US side, for 
example if a body responsible for ensuring compliance with the Safe Harbour Privacy 
Principles in the United States is not effectively fulfilling its role, or if the level of protection 
provided by the Safe Harbour Principles is overtaken by the requirements of US legislation. 
As with any other Commission decision, it can also be amended for other reasons or even 
revoked. 

2.2. The functioning of the Safe Harbour 

The 3246° certified companies include both small and big companies 14 . While financial 
services and telecommunication industries are outside the Federal Trade Commission 
enforcement powers and therefore excluded from the Safe Harbour, many industry and 
services sectors are present among certified companies, including well known Internet 
companies and industries ranging from information and computer services to pharmaceuticals, 
travel and tourism services, healthcare or credit card services 15 . These are mainly US 
companies that provide services in the EU internal market. There are also subsidiaries of some 


If a company’s certification or recertification fails to meet Safe Harbour requirements, the Department of Commerce notifies the 
company requesting steps to be taken (e.g., clarifications, changes in policy description) before the company’s certification may 
be finalised. 

Under Title 49 of the US Code Section 41712. 

More specifically, suspension of transfers can be required in two situations, where: 

(a) the government body in the US has determined that the company is violating the Safe Harbour Privacy Principles; or 

(b) there is a substantial likelihood that the Safe Harbour Privacy Principles are being violated; there is a reasonable basis for 
believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at 
issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the 
Member State have made reasonable efforts under the circumstances to provide the company with notice and an opportunity to 
respond. 

On 26 September 2013 the number of Safe Harbour organizations listed as “current” on the Safe Harbour List was 3246, as “not 
current” 935. 

Safe Harbour organizations with 250 or less employees: 60% (1925 of 3246). Safe Harbour organizations with 251 or more 
employees: 40% (1295 of 3246). 

For example MasterCard deals with thousands of banks and the company is a clear example of a case where Safe Harbour cannot 
be replaced by other legal instruments for personal data transfers such as binding corporate rules or contractual arrangements. 


EN 


4 


EN 



53 


EU firms such as Nokia or Bayer. 51% are firms that process data of employees in Europe 
transferred to the US for human resource purposes 16 . 

There has been a growing concern among some data protection authorities in the EU about 
data transfers under the current Safe Harbour scheme. Some Member States' data protection 
authorities have criticised the very general formulation of the principles and the high reliance 
on self-certification and self-regulation. Similar concerns have been raised by industry, 
referring to distortions of competition due to a lack of enforcement. 

The current Safe Harbour arrangement is based on the voluntary adherence of companies, on 
self-certification by these adhering companies and on enforcement of the self-certification 
commitments by public authorities. In this context any lack of transparency and any 
shortcomings in enforcement undermine the foundations on which the Safe Harbour scheme 
is constructed. 

Any gap in transparency or in enforcement on the US side results in responsibility being 
shifted to European data protection authorities and to the companies which use the scheme. 
On 29 April 2010 German data protection authorities issued a decision requesting companies 
transferring data from Europe to the US to actively check that companies in the US importing 
data actually comply with Safe Harbour Privacy Principles and recommending that “at least 
the exporting company must determine whether the Safe Harbour certification by the importer 
is still valid” 17 . 

On 24 July 2013, following the revelations on US surveillance programmes, German DPAs 
went a step further expressing concerns that “there is a substantial likelihood that the 
principles in the Commission’s decisions are being violated” 18 . There are cases of some DPAs 
(e.g., Bremen DPA) that have requested a company transferring personal data to US providers 
to inform the DPA on whether and how the concerned providers prevent access by the 
National Security Agency. The Irish DPA has reported that it received two complaints 
recently which reference the Safe Harbour programme following coverage about the US 
Intelligence Agencies programmes but declined to investigate them on the basis that the 
transfer of personal data to a third country met the requirements of Irish data protection law. 
Following a similar complaint, the Luxembourg DPA has found that Microsoft and Skype 
have complied with the Luxembourg Data Protection Act when transferring data to US 19 . 
However, the Irish High Court has since granted an application for judicial review under 
which it will review the inaction of the Irish Data Protection Commissioner in relation to the 
US surveillance programmes. One of the two complaints was filed by a student group Europe 
v Facebook (EvF) which also filed similar complaint against Yahoo in Germany, which is 
being processed by the relevant data protection authorities. 

These divergent responses of data protection authorities to the surveillance revelations 
demonstrate the real risk of the fragmentation of the Safe Harbour scheme and raise questions 
as to the extent to which it is enforced. 


Safe Harbour organizations that cover organization human resources data under their Safe Harbour certification (and thereby have 
agreed to cooperate and comply with the EU data protection authorities): 51 % (1671 of 3246). 

See Diisseldorfer Kreis decision of 28/29 April 2010 . See: Beschluss der obersten Aufsichtsbehbrden fur den Datenschutz im 
nicht-Offentlichen Bereich am 28729. April 2010 in Hannover: 

http.7/www. bfdi.bund.de/SharedDocs/Publikationen/Entscliliessungssammlung/DuesseldorferKreis/290410 SafeHarbor.pdf? bl 
ob=nublicationFile However, the European Data Protection Supervisor (EDPS) Peter Hustinx expressed an opinion at the 
European Parliament LIEBE Committee Inquiry on 7 October 20 13 that “substantial improvements have been made and most 
issues now been settled” as far as Safe Harbour is concerned: 

httns://secure.edDS.europa.eu/EDPSWEB/webdav/site/mvSite/sliared/Documents/EDPS/Publications/Speeches/2013/13-IO- 
07 Speech L1BE PI-1 EN.ndf 

See a resolution of a German Conference of data protection commissioners underlying that intelligence services constitute a 
massive threat to data traffic between Germany and countries outside Europe: 
http:/Avww.bfdi.bund.de/EN/Home/homepage Kurzmeldungen/PMDSK SafeHarbor.html?nn=408870 
See the press statement of Luxemboug DPA on 18 November 2013. 


EN 


5 


EN 



54 


3. Transparency of adhered companies' privacy policies 

Under the FAQ 6 that is annexed to the Safe Harbour Decision (Annex II) companies 
interested in certifying under the Safe Harbour must provide to the Department of Commerce 
and make public their privacy policy. It must include a commitment to adhere to the Privacy 
Principles. The requirement to make publicly available the privacy policies of self-certified 
companies as well as their statement to adhere to the Privacy Principles is critical for the 
operation of the scheme. 

Insufficient accessibility to privacy policies of such companies is to the detriment of 
individuals whose personal data is being collected and processed, and may constitute a 
violation of the principle of notice. In such cases, individuals whose data is being transferred 
from the EU may be unaware of their rights and the obligations to which a self-certified 
company is subjected. 

Moreover, the commitment by companies to comply with the Privacy Principles triggers the 
Federal Trade Commission's powers to enforce these principles against companies in 
cases of non-compliance as an unfair or deceptive practice. Lack of transparency by 
companies in the US renders Federal Trade Commission oversight more difficult and 
undermines the effectiveness of enforcement. 

Over the years a substantial number of self-certified companies had not made their privacy 
policy public and/or had not made a public statement of adherence to the Privacy Principles. 
The 2004 Safe Harbour report pointed to the necessity for the Department of Commerce to 
adopt a more active stance in scrutinising compliance with this requirement. 

Since 2004, the Department of Commerce has developed new information tools aimed at 
helping companies to comply with their transparency obligations. The relevant information on 
the scheme is accessible on the Department of Commerce’s website dedicated to the Safe 
Harbour 20 that also allows companies to upload their privacy policies. The Department of 
Commerce has reported that companies have made use of this feature and posted their privacy 
policies on the Department of Commerce website when applying to join the Safe Harbour. 
In addition, the Department of Commerce published in 2009-2013 a series of guidelines for 
companies wishing to join Safe Harbour, such as a “Guide to Self-Certification” and “Helpful 
Hints on Self-Certifying Compliance” 22 . 

The degree of compliance with the transparency obligations varies amongst companies. 
Whereas certain companies limit themselves to notifying to the Department of Commerce a 
description of their privacy policy as part of the self-certification process, the majority make 
these policies public on their websites, in addition to uploading them on the Department of 
Commerce website. However, these policies are not always presented in a consumer- 
friendly and easily readable form. Hyperlinks to privacy policies do not always function 
properly nor do they always refer to the correct webpages. 

It follows from the Decision and its annexes that the requirement that companies should 
publicly disclose their privacy policies goes beyond mere notification of self-certification to 
the Department of Commerce. The requirements for certification as set out in the FAQs 
include a description of the privacy policy and transparent information on where it is available 
for viewing by the public 23 . Privacy policy statements must be clear and easily accessible by 


http://www.cxport.gov/SafeHarbour/ 
https ://S aleHarbour.export.gov/list.as ox 

The Guide is available on the programme’s website at: http://exnort.gov/SafeHarbour/ Helpful Hints: 
http://export.gov/SafeHarbouiyeu/eg main 018495. asp 

On 12 November 2013 the Department of Commerce has confirmed that “Today, companies that have public websites and cover 
consumer/client/visitor data must include a Safe Harbor-compliant privacy policy on their respective websites” (document: “U.S.- 
EU Cooperation to Implement the Safe Harbor Framework” of 12 Nov. 2013). 


EN 


6 


EN 



55 


the public. They must include a hyperlink to the Department of Commerce Safe Harbour 
website which lists all the ‘current’ members of the scheme and a link to the alternative 
dispute resolution provider. However, a number of companies under the scheme in the period 
2000-2013 failed to comply with these requirements. During working contacts with the 
Commission in February 2013 the Department of Commerce has acknowledged that up to 
1 0% of certified companies may actually not have posted a privacy policy containing the Safe 
Harbour affirmative statement on their respective public websites. 

Recent statistics demonstrate also a persisting problem of false claims of Safe Harbour 
adherence. About 10% of companies claiming membership in the Safe Harbour are not listed 
by the Department of Commerce as current members of the scheme 24 . Such false claims 
originate from both: companies which have never been participants of the Safe Harbour and 
companies which have once joined the scheme but then failed to resubmit their self- 
certification to the Department of Commerce at the yearly intervals. In this case they continue 
to be listed on the Safe Harbour website, but with certification status "not current", meaning 
that the company has been a member of the scheme and thus has an obligation to continue to 
provide protection to data already processed. The Federal Trade Commission is competent to 
intervene in cases of deceptive practices and non-compliance of the Safe Harbour principles 
(see Section 5.1). Unclarity over the "false claims" impacts the credibility of the scheme. 

The European Commission alerted the Department of Commerce through regular contacts in 
2012 and 2013 that, in order to comply with the transparency obligations, it is not sufficient 
for companies to only provide the Department of Commerce with a description of their 
privacy policy. Privacy policy statements must be made publicly available. The Department 
of Commerce was also asked to intensify its periodic controls of companies’ websites 
subsequent to the verification procedure carried out in the context of the first self-certification 
process or its annual renewal and to take action against those companies which do not comply 
with the transparency requirements. 

As a first answer to EU concerns, the Department of Commerce has since March 2013 
made it mandatory for a Safe Harbour company with a public website to make its privacy 
policy for customer/user data readily available on its public website. At the same time, the 
Department of Commerce began notifying all companies whose privacy policy did not 
already include a link to Department of Commerce Safe Harbour website that one should be 
added, making the official Safe Harbour List and website directly accessible to consumers 
visiting a company’s website. This will allow European data subjects to verify immediately, 
without additional searches in the web, a company’s commitments submitted to the 
Department of Commerce. Additionally, the Department of Commerce started notifying 
companies that contact information for their independent dispute resolution provider should 
be included in their posted privacy policy 25 . 

This process needs to be speeded up to ensure that all certified companies fully meet Safe 
Harbour requirements not later than by March 2014 (i.e. by companies’ yearly recertification 
deadline, counting from the introduction of new requirements in March 2013). 


In September 2013 an Australian consultancy Galexia compared Safe Harbour membership "false claims' 1 in 2008 and 2013. Its 
main finding is that, in parallel to the increase of membership in the Safe Harbour between 2008 and 2013 (from 1,109 to 3,246), 
the number of false claims has increased from 206 to 427. http://www.galexia.com/public/about/news/about_news-id225.html 
Between March and September 2013 the Department of Commerce has: 

• Notified the 1 01 companies who had already uploaded their Safe Harbour compliant privacy policy to Safe Harbour website 
that they must also post their privacy policy to their company websites; 

• Notified the 1 54 companies that had not already done so, that they should include a link to Safe Harbour website in their privacy 
policy; 

• Notified more than 600 companies that they should include contact information for their independent dispute resolution provider 
in their privacy policy. 


EN 




56 


Nevertheless, concerns remain as to whether all self-certified companies fully comply with 
the transparency requirements. Compliance with the obligations undertaken at the point of the 
initial self-certification and the annual renewal should be monitored and investigated more 
stringently by the Department of Commerce. 

4. Integration of the Safe Harbour privacy principles in companies' 

PRIVACY POLICIES 

Self-certified companies must comply with the Privacy Principles set out in Annex I to the 
Decision in order to obtain and retain the benefit of the Safe Harbour. 

In the 2004 report, the Commission found that a significant number of companies had not 
correctly incorporated the Safe Harbour Privacy Principles in their data processing 
policies. For example, individuals were not always given clear and transparent information 
about the purposes for which their data were processed or were not given the possibility to opt 
out if their data were to be disclosed to a third party or to be used for a purpose that was 
incompatible with the purposes for which it was originally collected. The 2004 Commission’s 
report considered that the Department of Commerce” should be more proactive with regard 
to access to the Safe Harbour and to awareness of the Principles ” 26 . 

There has been limited progress in that respect. Since 1 January 2009, any company seeking 
to renew its certification status for Safe Harbour - which must be renewed annually - has had 
its privacy policy evaluated by the Department of Commerce prior to the renewal. The 
evaluation is however limited in scope. There is no full evaluation of the actual practice in 
the self-certified companies which would significantly increase the credibility of the self- 
certification process. 

Further to the Commission's requests for a more rigorous and systematic oversight of the self- 
certified companies by the Department of Commerce, more attention is currently applied to 
new submissions. The number of new submissions which have not been accepted, but are 
resent to companies for improvements in privacy policies has significantly increased between 
2010 and 2013: doubled for re-certifying companies and tripled for the Safe Harbour 
newcomers 27 . The Department of Commerce has assured the Commission that any 
certification or recertification can be finalised only if the company’s privacy policy fulfils all 
requirements, notably that it includes an affirmative commitment to adhere to the relevant set 
of Safe Harbour Privacy Principles and that the privacy policy is publicly available. A 
company is required to identify in its Safe Harbour List record the location of the relevant 
policy. It is also required to clearly identify on its website an Alternative Dispute Resolution 
provider and include a link to the Safe Harbour self-certification on the website of the 
Department of Commerce. However, it has been estimated that over 30% of Safe Harbour 
members do not provide dispute resolution information in the privacy policies on their 
websites 28 . 

A majority of the companies that the Department of Commerce has removed from the Safe 
Harbour List were removed at the express request of the relevant companies (e.g., companies 
that had merged or were acquired, had changed their lines of business or had gone out of 
business). A smaller number of records of lapsed companies have been removed when the 


See page 8 of the 2004 Report SEC (2004) 1323. 

According to statistics provided in September 2013 by the Department in Commerce, the DoC notified in 2010 18% (93) of the 
512 first-time certifiers and 16% (231) of the 1,417 recertifiers to make improvements to their privacy policies and/or Safe 
Harbour applications. However, as a follow up to Commission requests for severe, diligent and systematic scrutiny of all 
submissions, through mid-Sep. 2013, DoC notified 56% (340) of the 602 first-time certifiers and 27% (493) of the 1,809 
recertifiers asking them to make improvements to their privacy policies. 

Chris Connolly (Galexia) appearance before the European Parliament LIBE Committee inquiry on 7 Oct. 2013. 


EN 




57 


websites that were listed in the records appeared to be inoperative and the companies’ 
certification status had been “Not current” for several years . Importantly, none of these 
removals seems to have taken place because the Department of Commerce verification led to 
the identification of compliance problems. 

The Safe Harbour List record serves as a public notice and as a record of a company’s Safe 
Harbour commitments. The commitment to adhere to the Safe Harbour Principles is not 
time-limited with respect to data received during the period in which the company enjoys the 
benefit of the Safe Harbour, and the company must continue to apply the Principles to such 
data as long as it stores, uses or discloses them, even if it leaves the Safe Harbour for any 
reason. 

The number of Safe Harbour applicants that did not pass administrative review by the 
Department of Commerce and therefore were never added to the Safe Harbour List is the 
following: In 2010, only 6% (33) of the 513 first-time certifiers were never included in the 
Safe Harbour List because they did not comply with Department of Commerce standards for 
self-certification. In 2013, 12% (75) of the 605 first-time certifiers were never included in the 
Safe Harbour List because they have not complied with Department of Commerce standards 
for self-certification. 

As a minimum requirement to increase the transparency of the oversight, the Department of 
Commerce should list on its website all companies that have been removed from the Safe 
Harbour and indicate reasons for which the certification has not been renewed. The label “Not 
current” on the Department of Commerce list of Safe Harbour member companies should be 
regarded not just as information but should be accompanied by a clear warning - both verbal 
and graphical - that a company is currently not fulfilling Safe Harbour requirements. 

Moreover, some companies still fall short of fully incorporating all Safe Harbour Principles. 
Apart from the issue of transparency addressed in Section 3 above, privacy policies of self- 
certified companies are often unclear as regards the purposes for which data is collected, and 
the right to choose whether or not data can be disclosed to third parties; thereby raising issues 
of compliance with the Privacy Principles of “Notice” and “Choice”. Notice and choice are 
crucial to ensure control from data subjects over what happens to their personal information. 

The critical first step in the compliance process, the incorporation of the Safe Harbour Privacy 
Principles in companies' privacy policies, is not sufficiently ensured. The Department of 
Commerce should address it as a matter of priority by developing a methodology of 
compliance in the operational practice of companies and their interaction with clients. There 
must be an active follow up by the Department of Commerce on effective incorporation 
of the Safe Harbour principles in companies' privacy policies, rather than leaving 
enforcement action only to be triggered by complaints of individuals. 

5. Enforcement by public authorities 

A number of mechanisms are available to ensure effective enforcement of the Safe Harbour 
scheme and to offer recourse for individuals in cases where the protection of their personal 
information is affected by non-compliance with the Privacy Principles. 

According to the “Enforcement” Principle, privacy policies of self-certified organizations 
must include effective compliance mechanisms. Pursuant to the “Enforcement” Privacy 
Principle as further clarified by FAQ 11, FAQ 5 and FAQ 6, this requirement can be met by 


As of December 2011, the US Department of Commerce had removed 323 companies from the Safe Harbour List: 94 companies 
were removed because they were no longer in business; 88 companies due to acquisition or merger, 95 at the requests of the 
parent company; 41 companies because repeated failure to ask for recertification and 5 companies for miscellaneous reasons. 



EN 



58 


adhering to independent recourse mechanisms that have publicly stated their competence to 
hear individual complaints for failure to abide by the Principles. Alternatively, this can be 
achieved through the organization’s commitment to cooperate with the EU Data Protection 
PaneF 0 . Moreover self-certified companies are subject to the jurisdiction of the Federal Trade 
Commission under Section 5 of the Federal Trade Commission Act which prohibits unfair or 
deceptive acts or practices in or affecting commerce 31 . 

The 2004 Report expressed concerns as regards the enforcement of the Safe Harbour scheme, 
namely that the Federal Trade Commission should be more proactive in launching 
investigations and raising awareness of individuals about their rights. Another area of 
concern was the lack of clarity in relation to the Federal Trade Commission's competence to 
enforce the Principles regarding human resources data. 

The recourse body responsible for human resources data - the EU Data Protection Panel - has 
received one complaint concerning human resources data 32 . However, the absence of 
complaints does not allow conclusions to be drawn as to the full functioning of the scheme. 
Ex-officio checks of companies’ compliance should be introduced to verify the actual 
implementation of data protection commitments. EU Data Protection Authorities should also 
undertake actions in order to raise awareness of the existence of the Panel. 

Problems have been highlighted in relation to the way in which alternative recourse 
mechanisms function as enforcement bodies. A number of these bodies lack appropriate 
means to remedy cases of failure to comply with the Principles. This shortcoming needs to be 
addressed. 


5.1. Federal Trade Commission 

The Federal Trade Commission can take enforcement measures in case of violations of the 
Safe Harbour commitments that companies make. When Safe Harbour was established, the 
Federal Trade Commission committed to review on a priority basis all referrals from EU 
Member State authorities 33 . Since no complaints were received for the first ten years of the 
arrangement, the Federal Trade Commission decided to seek to identify any Safe Harbour 
violations in every privacy and data security investigation it conducts. Since 2009, the Federal 
Trade Commission has brought 10 enforcement actions against companies based on Safe 
Harbour violations. These actions notably resulted in settlement orders - subject to substantial 
penalties - prohibiting privacy misrepresentations, including of compliance with the Safe 
Harbour, and imposing on companies’ comprehensive privacy programmes and audits for 20 
years. The companies must accept independent assessments of their privacy programmes on 
the request of the Federal Trade Commission. These assessments are reported regularly to the 
Federal Trade Commission. The Federal Trade Commission's orders also prohibit these 
companies from misrepresenting their privacy practices and their participation in Safe 
Harbour or similar privacy schemes. This was the case for example in the Federal Trade 


The EU Data Protection Pane! is a body competent for investigating and resolving complaints lodged by individuals for alleged 
infringement of the Safe Harbour Principles by an US company member of the Safe Harbour. Companies that certify to the Safe 
Harbour Principles must choose to comply with independent recourse mechanism or to cooperate with the EU Data Protection 
Panel in order to remedy problems arising out of failure to comply with Safe Harbour Principles. Cooperation with the EU Data 
Protection Panel is nonetheless mandatory when the US company processes human resources personal data transferred from the 
EU in the context of an employment relationship. If the company commits itself to cooperate with the EU panel, it must also 
commit itself to comply with any advice given by the EU panel where it takes the view that the company needs to take specific 
action to comply with the Safe Harbour Principles, including remedial or compensatory measures. 

The Department of Transportation exercises similar jurisdictions over air carriers under Title 49 United States Code Section 
41712. 

The complaint originated from a Swiss citizen and therefore has been referred by the EU Data Protection Panel to the Swiss data 
protection authority (US has a separate Safe Harbour scheme for Switzerland). 

See Annex V to the Commission Decision 2000/520/EC of 26 July 2000. 


EN 


10 


EN 



59 


EN 


Commission investigations against Google, Facebook and Myspace. 34 In 2012 Google agreed 
to pay a $22.5 million fine to settle allegations that it violated a consent order. In all privacy 
investigations the Federal Trade Commission ex officio examines whether there is Safe 
Harbour violation. 

The Federal Trade Commission has reiterated recently its declarations and commitment to 
reviewing, on a priority basis, any referrals received from privacy self-regulatory companies 
and EU Member States that allege a company’s non-compliance with Safe Harbour 
Principles. 35 The Federal Trade Commission has received only a few referrals from European 
data protection authorities over the past three years. 

Transatlantic cooperation between data protection authorities started to develop in recent 
months. For example the Federal Trade Commission signed on 26 June 2013 with the Office 
of the Data Protection Commissioner of Ireland a Memorandum of Understanding on mutual 
assistance in the enforcement of laws protecting personal information in the private sector. 
The memorandum establishes a framework for increased, more streamlined, and more 
effective privacy enforcement cooperation 36 . 

In August 2013, the Federal Trade Commission announced a further reinforcement of the 
checks on companies with control over large databases of personal information. It has also 
created a portal where consumers can file a privacy complaint regarding a US company 37 . 

The Federal Trade Commission should also increase efforts to investigate false claims of Safe 
Harbour adherence. A company claiming on its website that it complies with the Safe Harbour 
requirements, but is not listed by the Department of Commerce as a ‘current’ member of the 
scheme, is misleading consumers and abusing their trust. False claims weaken the credibility 
of the system as a whole and therefore should be immediately removed from the companies’ 
websites. The companies should be bound by an enforceable requirement not to mislead 
consumers. The Federal Trade Commission should continue seeking to identify Safe Harbour 
false claims as the one in the Karnani case, where the Federal Trade Commission shut down a 
California website for claiming a false Safe Harbour registration, and engaging in fraudulent 
e-commerce practices targeted at European consumers 38 . 

On 29 October 2013 the Federal Trade Commission announced that it had opened “numerous 
investigations into Safe Harbor compliance in recent months” and that more enforcement 
actions on this front can be expected “in the coming months”. The Federal Trade Commission 
confirmed also that it is "committed to looking for ways to improve its efficacy" and would 
“continue to welcome any substantive leads, such as the complaint received in the past month 
from a European-based consumer advocate alleging a large number of Safe Harbor-related 
violations”. 39 The agency committed also to “systematically monitor compliance with Safe 
Harbor orders, as we do with all our orders” 40 . 


34 Over the period 2009-2012 Federal Trade Commission has completed ten enforcement actions of Safe Harbour commitments: 

FTC v. Javian Karnani, and Balls of Kryptonite, LLC (2009), World Innovators, Inc. (2009), Expat Edge Partners, LLC (2009), 
Onyx Graphics, Inc. (2009), Directors Desk LLC (2009), Progressive Gaitways LLC (2009), CoIIectify LLC (2009), Google Inc. 
(2011), Facebook, Inc. (2011), Myspace LLC (2012). See: “Federal Trade Commission of Safe Harbour Commitments”: 
http://export.gOv/buiid/groups/public/@eg_main/@SafeHarbour/documents/webcontent/eg_main_05221 1. pdf See also: “Case 
Highlights”: http://business.ftc.gov/us-eu-Safe-Harbour-framework. Most of these cases involved problems with companies that 
joined Safe Harbour but then continued to represent themselves as members without renewing the annual certification. 

This commitment has been reiterated at a meeting of Federal Trade Commission Commissioner Julie Brill with EU Data 
protection Authorities (Article 29 Working Party) in Brussels on 17 April 2013. 

36 http://www.dataprotection.ie/viewdoc.asp?Docid=1317&Catid=66&StartDate=l+January+2013&m=n 

Consumers can file their complaints via the Federal Trade Commission Complaint Assistant 

( litins://www.flccomplaintassistant.sov/) and international consumers may file complaints via econsumer.gov 
(http://www.econsumer.gov). 

3 * http://www.ftc.gov/os/caselist/092308 1/090806kamanicmpt.pdf 

39 http://www.fte.gov/sneeches/brill/131029europeaninstituteremarks.ndf and 

http://www.ftc.gov/speeches/ramire2/13 1029tacdremarks.pdf 

Letter of the Federal Trade Commission Chairwoman Edith Ramirez to Vice-President Viviane Reding. 


11 


EN 



60 


On 12 November 2013, the Federal Trade Commission informed the European Commission 
that “if a company’s privacy policy promises Safe Harbor protections, that company’s 
failure to make or maintain a registration, is not, by itself, likely to excuse that company 
from FTC enforcement of those Safe Harbor commitments” 41 . 

In November 2013, the Department of Commerce informed the European Commission that 
“to help ensure that companies do not make ‘false claims’ of participation in Safe Harbor, the 
Department of Commerce will begin a process of contacting Safe Harbor participants one 
month prior to their recertification date to describe the steps they must follow should they 
chose not to recertify”. The Department of Commerce “will warn companies in this 
category to remove all references to Safe Harbor participation, including use of Commerce’s 
Safe Harbor certification mark, from the companies’ privacy policies and websites, and 
notify them clearly that failure to do so could subject the companies to FTC enforcement 
actions” 42 . 

To combat false claims of Safe Harbour adherence, privacy policies of self-certified 
companies’ websites should always include a link to the Department of Commerce Safe 
Harbour website where all the ‘current’ members of the scheme are listed. This will allow 
European data subjects to verify immediately, without additional searches whether a company 
is currently a member of the Safe Harbour. The Department of Commerce has started in 
March 2013 to request this from companies, but the process should be intensified. 

The continuous monitoring and consequent enforcement by the Federal Trade Co mm ission of 
actual compliance with the Safe Harbour Principles - in addition to the measures taken by the 
Department of Commerce as highlighted above - remains a key priority for ensuring proper 
and effective functioning of the scheme. It is necessary in particular to increase ex-officio 
checks and investigations of companies’ compliance to the Safe Harbour principles. 
Complaints to the Federal Trade Commission relating violations should also be further 
facilitated. 


5.2. EU Data Protection Panel 

The EU Data Protection Panel is a body created under the Safe Harbour Decision. It is 
competent to investigate complaints lodged by individuals referring to personal data collected 
in the context of the employment relationship as well as cases relating to certified companies 
which have chosen this option for dispute resolution under the Safe Harbour (53% of all 
companies). It is composed of representatives of various EU data protection authorities. 

To date, the Panel received four complaints (two in 2010 and two in 2013). It referred two 
complaints in 2010 to national data protection authorities (UK and Switzerland). The third 
and the fourth complaints are currently under examination. The low level of complaints can 
be explained by the fact that the powers of Panel are, as mentioned above, primarily limited to 
certain type of data. 

The Panel's limited caseload could be also partly explained by the lack of awareness about the 
existence of the Panel. The Commission has, since 2004, made the information about the 
Panel more visible on its website 43 . 


41 Letter of the Federal Trade Commission Chairwoman Edith Ramirez to Vice-President Viviane Reding. 

42 “U.S.-EU Cooperation to Implement the Safe Harbor Framework”, 12 November 2013. 

43 Pursuant to the 2004 report, an Information Notice in the form of Q&A of the EU Data Protection Panel has been published on 
the Commission's website (DO Justice) with the purpose of raising awareness of individuals and help them to file a complaint 
when they believe that their personal data has been processed in violation of the Safe Harbour: 
httn://ec.eurona.eu/iustice/nolicies/Drivacv/docs/adeauacv/informaiion Safe harbour en.pdf 

The standard complaint form is available at httD://ec.eurona.eii/iustice/nolicies/privacv/docs/adeouacv/ complaint form en.pdf 

EN 




61 


EN 


To make a better use of the Panel, companies in the US which have chosen to cooperate with 
it and comply with its decisions, for some or all categories of personal data covered in their 
respective self-certifications, should clearly and prominently indicate it in their privacy 
policies commitments to allow the Department of Commerce to scrutinise this aspect. A 
dedicated page should be created on each EU data protection authority's website regarding 
Safe Harbour to raise Safe Harbour awareness with European companies and data subjects. 


5.3. Improvement of enforcement 

The weaknesses in transparency and weaknesses in enforcement that have been identified 
above, lead to concerns among European companies as regards the negative impact of the 
Safe Harbour scheme on European companies' competitiveness. Where a European company 
competes with a US company operating under Safe Harbour, but in practice not applying its 
principles, the European company is at a competitive disadvantage in relation to that US 
company. 

Furthermore, the Federal Trade Commission's jurisdiction extends to unfair or deceptive 
acts or practices "in or affecting commerce". Section 5 of the Federal Trade Commission 
Act established exceptions to the Federal Trade Commission's authority over unfair or 
deceptive acts or practices with respect inter alia to telecommunications. Being outside 
Federal Trade Commission enforcement, telecom companies are not allowed to adhere to 
the Safe Harbour. However, with the growing convergence of technologies and services, 
many of their direct competitors in the US ICT sector are members of Safe Harbour. The 
exclusion of telecom companies from the data exchanges under the Safe Harbour scheme is 
a matter of concern to some European telecom operators. According to the European 
Telecommunications Network Operators’ Association (ETNO) “this is in clear conflict to 
the most important plea of telecommunication operators regarding the need for a level 
playing field” 44 . 

6. Strengthening the Safe Harbour Privacy Principles 

6.1. Alternative Dispute Resolutions 

The enforcement principle requires that there must be “readily available and affordable 
recourse mechanisms by which each individual’s complaints and disputes are investigated”. 
To that end the Safe Harbour scheme establishes a system of Alternative Dispute Resolution 
(ADR) by an independent third party 45 to provide individuals with rapid solutions. The three 
top recourse mechanisms bodies are the EU Data Protection Panel, BBB (Better Business 
Bureaus) and TRUSTe. 


“ETNO considerations” received by Commission services on 4 October 2013 discuss also 1) definition of personal data in Safe 
Harbour, 2) lack of monitoring of the Safe Harbour, 3) and the fact that “US companies can transfer data with much less 
restrictions than their European counterparts” which “constitutes a clear discrimination of European companies and is affecting 
the competitiveness of European companies”. Under the Safe Harbour rules, to disclose information to a third party, 
organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party 
that is acting as an agent, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the 
Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party 
provide at least the same level of privacy protection as is required by the relevant Principles. 

The EU Directive 2013/1 1/EU on consumer ADR underlines the importance of independent, impartial, transparent effective, fast 
and fair alternative dispute resolution procedures. 


EN 


13 



62 


EN 



0 500 1000 1500 2000 


IRMs 


saDPAs 

aTRUSTe 

saBBB 

■ AAA/ICDR 
® JAMS 

■ DMA 

■ Privacy Trust 


The use of ADR has increased since 2004 and the Department of Commerce has strengthened 
the monitoring of American ADR providers to make sure that the information they offer about 
the complaint procedure is clear, accessible and understandable. However, the effectiveness 
of this system is yet to be proven due to the limited number of cases dealt with so far 46 . 

Though the Department of Commerce has been successful is reducing the fees charged by the 
ADRs, two out of seven major ADR providers continue to charge fees from individuals who 
file a complaint 47 . This represents the ADR providers used by about 20% of Safe Harbour 
companies. These companies have selected an ADR provider that charges a fee to consumers 
for filing a complaint. Such practices do not comply with the Enforcement Principle of Safe 
Harbour which gives individuals the right of access to a “readily available and affordable 
independent recourse mechanisms”. In the European Union, access to an independent dispute 
resolution service provided by the EU Data Protection Panel is free for all data subjects. 

On 12 November 2013 the Department of Commerce confirmed that it "will continue to 
advocate on behalf of EU citizens' privacy and work with ADR providers to determine 
whether their fees can be lowered further". 

In relation to sanctions, not all ADR providers possess the necessary tools to remedy 
situations of failure to abide by the Privacy Principles. Moreover, the publication of findings 


For example, one major service provider ("TRUSTe") reported that it received 881 requests in 2010, but that only three of them 
were considered admissible, and grounded, and led to the company concerned being required to change its privacy policy and 
website. In 2011, the number of complaints was 879, and in one case the company was required to change its privacy policy. 
According to the DoC, vast majority of the complaints to ADR are requests from consumers, for example users who have 
forgotten their password and were unable to obtain it from the internet service. Following Commission requests, the Department 
of Commerce developed new statistics reporting criteria to be used by all ADR. They distinguish between mere requests and 
complaints and they provide with further clarification of types of complaints received. These new criteria need however to be 
further discussed to make sure that new statistics in 2014 concern all ADR providers, are comparable and provide critical 
information to assess the effectiveness of the recourse mechanism. 

International Centre for Dispute Resolution / American Arbitration Association (ICDR/AAA), charges $ 200 and JAMS $ 250 
“filing fee”. The Department of Commerce informed the Commission that it had worked with the AAA, the most costly dispute 
resolution provider for individuals, to develop a Safe Harbour-specific program which reduced the cost to consumers from several 
thousands of dollars to a flat rate of $ 200. 


EN 


14 




63 


of non-compliance does not seem to be foreseen amongst the range of sanctions and measures 
of all ADR service providers. 

ADR providers are also required to refer cases to the Federal Trade Commission where a 
company fails to comply with the outcome of the ADR process, or rejects the ADR provider's 
decision, so that the Federal Trade Commission can review and investigate and, if 
appropriate, take enforcement measures. However, to date, there have been no cases of 
referral from ADR providers to the Federal Trade Commission for non-compliance 48 . 

Alternative dispute resolution service providers maintain on their Websites lists of companies 
(Dispute Resolution Participants) which use their services. This allows consumers to easily 
verify if - in case of dispute with a company - an individual can submit a complaint to an 
identified dispute resolution provider. Thus, for example the BBB dispute resolution provider 
lists all companies which are under the BBB dispute resolution system. However, there are 
numerous companies claiming to be under a specific dispute resolution system but not listed 
by the ADR service providers as participants of their dispute resolution scheme 49 . 

ADR mechanisms should be easily accessible, independent and affordable for individuals. A 
data subject should be able to file a complaint without any excessive constraints. All ADR 
bodies should publish on their websites statistics about the complaints handled as well as 
specific information about their outcome. Finally, the ADR bodies should be further 
monitored to make sure that information they provide about the procedure and how to lodge a 
complaint is clear and understandable, so that the dispute resolution becomes an effective, 
trusted mechanism providing results. It should also be reiterated that publication of findings 
of non-compliance should be included within the range of mandatory sanctions of ADRs. 

6.2. Onward transfer 

With the exponential growth of data flows there is a need to ensure the continued protection 
of personal data at all stages of data processing, notably when data is transferred by a 
company adhering to the Safe Harbour to a third party processor. Therefore, the need for the 
better enforcement of the Safe Harbour concerns not only Safe Harbour members but also 
subcontractors. 

The Safe Harbour scheme allows onward transfers to third parties acting as “agents” if the 
company - member of the Safe Harbour scheme - “ascertains that the third party subscribes 
to the Principles or is subject to the Directive or another adequacy finding or enters into a 
written agreement with such third party requiring that the third party provide at least the same 
level of privacy protection as is required by the Privacy Principles” 50 . For example, a cloud 
service provider is required by the Department of Commerce to enter into a contract even if it 
is “Safe Harbour-compliant” and it receives personal data for processing 51 . However, this 
provision is not clear in Annex II to the Safe Harbour Decision. 

As the recourse to subcontractors has increased considerably over the past years, in particular 
in the context of cloud-computing, when entering such a contract, a Safe Harbour company 


See FAQ 11. 

Examples: Amazon has informed the DoC that it uses the BBB as its dispute resolution provider. However the BBB does not list 
Amazon among its dispute resolution participants. Vice versa, Arsalon Technologies (www.arsalon.net), a cloud hosting service 
provider, appears on the BBB Safe Harbour dispute resolution list but the company is not a current member of the Safe Harbour 
(situation as of 1 October 2013). BBB, TRUSTe and other ADR service providers should remove or correct the certification 
claims. They should be bound by an enforceable requirement to only certify companies who are members of the Safe Harbour. 

See Commission Decision 2000/520/EC page 7 (onward transfer). 

See: "Clarifications Regarding the U.S.-EU Safe Harbor Framework and Cloud Computing”: 

httn://e\oort.2ov/static/Safe%201-lai'bor%20and%20Cloud%20Commiting%20Clarification Anril%2012%202013 Latest eg ina 
in 06035l.pdf 


EN 


15 


EN 



64 


should notify the Department of Commerce and be obliged to make public the privacy 
safeguards 52 . 

The three above mentioned issues: the alternative dispute resolution mechanism, reinforced 
oversight and onward transfers of data should be further clarified. 

7. Access to data transferred in the framework of the Safe Harbour 

SCHEME 

In the course of 2013, information on the scale and scope of US surveillance programmes has 
raised concerns over the continuity of protection of personal data lawfully transferred to the 
US under the Safe Harbour scheme. For instance, all companies involved in the PRISM 
programme, and which grant access to US authorities to data stored and processed in the US, 
appear to be Safe Harbour certified. This has made the Safe Harbour scheme one of the 
conduits through which access is given to US intelligence authorities to collecting personal 
data initially processed in the EU. 

The Safe Harbour Decision provides, in Annex 1, that adherence to the Privacy Principles 
may be limited, if justified by national security, public interest, or law enforcement 
requirements or by statute, government regulation or case-law. In order for limitations and 
restrictions on the enjoyment of fundamental rights to be valid, they must be narrowly 
construed; they must be set forth in a publicly accessible law and they must be necessary and 
proportionate in a democratic society. In particular, the Safe Harbour Decision specifies that 
such limitations are allowed only “to the extent necessary” to meet national security, public 
interest, or law enforcement requirements 53 . While the exceptional processing of data for the 
purposes of national security, public interest or law enforcement is provided under the Safe 
Harbour scheme, the large scale access by intelligence agencies to data transferred to the US 
in the context of commercial transactions was not foreseeable at the time of adopting the Safe 
Harbour. 

Moreover, for reasons of transparency and legal certainty, the European Commission should 
be notified by the Department of Commerce of any statute or government regulations that 
would affect adherence to the Safe Harbour Privacy Principles 54 . The use of exceptions 
should be carefully monitored and the exceptions must not be used in a way that undermines 
the protection afforded by the Principles 55 . In particular, large scale access by US authorities 
to data processed by Safe Harbour self-certified companies risks undermining the 
confidentiality of electronic communications. 


These remarks concern cloud providers which are not in the Safe Harbour. According to Galexia consultancy firm, “the level of 
Safe Harbour membership (and compliance) amongst cloud service providers is quite high. Cloud service providers typically have 
multiple layers of privacy protection, often combining direct contracts with clients and over-arching privacy policies. With one or 
two important exceptions, cloud service providers in the Safe Harbour are compliant with the key provisions relating to dispute 
resolution and enforcement. There are no major cloud service providers in the list of false membership claims at this time.” 
(appearance of Chris Connolly from Galexia before the L1BE Committee inquiry on “Electronic mass surveillance of EU 
citizens”). 

See Annex 1 of the Safe Harbour Decision: “Adherence to these Principles may be limited: (a) to the extent necessary to meet 
national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create 
conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can 
demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate 
interests furthered by such authorization; or (c) if the effect of the Directive of Member State law is to allow exceptions or 
derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing 
privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their 
privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, 
where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection 
where possible.” 

Opinion 4/2000 on the level of protection provided by the “Safe Harbour Principles”, adopted by Article 29 Data Protection 
Working Party on 16 May 2000. 

Opinion 4/2000 on the level of protection provided by the “Safe Harbour Principles”, adopted by Article 29 Data Protection 
Working Party on 16 May 2000. 



EN 



65 


7.1. Proportionality and necessity 

As results from the findings of the ad hoc EU-US Working Group on data protection, a 
number of legal bases under US law allow large-scale collection and processing of personal 
data that is stored or otherwise processed companies based in the US. This may include data 
previously transferred from the EU to the US under the Safe Harbour scheme, and it raises the 
question of continued compliance with the Safe Harbour principles. The large scale nature of 
these programmes may result in data transferred under Safe Harbour being accessed and 
further processed by US authorities beyond what is strictly necessary and proportionate to the 
protection of national security as foreseen under the exception provided in the Safe Harbour 
Decision. 


7.2. Limitations and redress possibilities 

As results from the findings of the ad hoc EU-US Working Group on data protection, 
safeguards that are provided under US law are mostly available to US citizens or legal 
residents. Moreover, there are no opportunities for either EU or US data subjects to obtain 
access, rectification or erasure of data, or administrative or judicial redress with regard to 
collection and further processing of their personal data taking place under the US surveillance 
programmes. 

7.3. Transparency 

Companies do not systematically indicate in their privacy policies when they apply exceptions 
to the Principles. The individuals and companies are thus not aware of what is being done 
with their data. This is particularly relevant in relation with the operation of the US 
surveillance programmes in question. As a result, Europeans whose data are transferred to a 
company in the US under Safe Harbour may not be made aware by those companies that their 
data may be subject to access 56 . This raises the question of compliance with the Safe Harbour 
principles on transparency. Transparency should be ensured to the greatest extent possible 
without jeopardising national security. In addition to existing requirements on companies to 
indicate in their privacy policies where the Principles may be limited by statute, government 
regulation or case law, companies should also be encouraged to indicate in their privacy 
policies when they apply exceptions to the Principles to meet national security, public interest 
or law enforcement requirements. 

8. Conclusions and recommendations 

Since its adoption in 2000, Safe Harbour has become a vehicle for EU-US flows of personal 
data. The importance of efficient protection in case of transfers of personal data has increased 
due to the exponential increase in data flows central to the digital economy and the very 
significant developments in data collection, processing and use. Web companies such as 
Google, Facebook, Microsoft, Apple, Yahoo have hundreds of millions of clients in Europe 
and transfer personal data for processing to the US on a scale inconceivable in the year 2000 
when the Safe Harbour was created. 


Relatively transparent information in this respect is provided by some European companies in Safe Harbour. For example Nokia, 
which has operations in the US and is a Safe Harbour member provides a following notice in its privacy policy: "We may be 
obligated by mandatory law to disclose your personal data to certain authorities or other third parties, for example, to law 
en forcement agencies in the countries where we or third parties acting on our behalf operate. " 


EN 


17 


EN 



66 


Due to deficiencies in transparency and enforcement of the arrangement, specific problems 
still persist and should be addressed: 

a) transparency of privacy policies of Safe Harbour members, 

b) effective application of Privacy Principles by companies in the US, and 

c) effectiveness of the enforcement. 

Furthermore, the large scale access by intelligence agencies to data transferred to the US 
by Safe Harbour certified companies raises additional serious questions regarding the 
continuity of data protection rights of Europeans when their data in transferred to the US. 

On the basis of the above, the Commission has identified the following recommendations: 


Transparency 

1. Self-certified companies should publicly disclose their privacy policies. It is not 
sufficient for companies to provide the Department of Commerce with a description 
of their privacy policy. Privacy policies should be made publicly available on the 
companies' websites, in clear and conspicuous language. 

2. Privacy policies of self-certified companies ’ websites should always include a link to 
the Department of Commerce Safe Harbour website which lists all the ‘current’ 
members of the scheme. This will allow European data subjects to verify immediately, 
without additional searches whether a company is currently a member of the Safe 
Harbour. This would help increase the credibility of the scheme by reducing the 
possibilities for false claims of adherence to the Safe Harbour. The Department of 
Commerce has started in March 2013 to request this from companies, but the process 
should be intensified. 

3. Self-certified companies should publish privacy conditions of any contracts they 
conclude with subcontractors, e.g. cloud computing services. Safe Harbour allows 
onward transfers from Safe Harbour self-certified companies to third parties acting as 
“agents”, for example to cloud service providers. According to our understanding, in 
such cases the Department of Commerce requires from self-certified companies to 
enter into a contract. However, when entering such a contract, a Safe Harbour 
company should also notify the Department of Commerce and be obliged to make 
public the privacy safeguards. 

4. Clearly flag on the website of the Department of Commerce all companies which are 
not current members of the scheme. The label “Not current” on the Department of 
Commerce list of Safe Harbour members should be accompanied by a clear warning 
that a company is currently not fulfilling Safe Harbour requirements. However, in the 
case of "Not current" the company is obliged to continue to apply the Safe Harbour 
requirements for the data that has been received under Safe Harbour. 

Redress 

5. The privacy policies on companies’ websites should include a link to the alternative 
dispute resolution (ADR) provider and/or EU panel. This will allow European data 
subjects to contact immediately the ADR or EU panel in case of problems. 
Department of Commerce has started in March 2013 to request this from companies, 
but the process should be intensified. 



EN 



67 


6. ADR should be readily available and affordable. Some ADR bodies in the Safe 

Harbour scheme continue to charge fees from individuals - which can be quite costly 
for an individual user - for the handling of the complaint ($ 200-250). By contrast, in 
Europe access to the Data Protection Panel foreseen for solving complaints under the 
Safe Harbour, is free. 

7. Department of Commerce should monitor more systematically ADR providers 
regarding the transparency and accessibility of information they provide concerning 
the procedure they use and the follow-up they give to complaints. This makes the 
dispute resolution an effective, trusted mechanism providing results. It should also be 
reiterated that publication of findings of non-compliance should be included within 
the range of mandatory sanctions of ADRs. 

Enforcement 

8. Following the certification or recertification of companies under the Safe Harbour, a 
certain percentage of these companies should be subject to ex officio investigations of 
effective compliance of their privacy policies (going beyond control of compliance 
with formal requirements) . 

9. Whenever there has been a finding of non-compliance, following a complaint or an 
investigation, the company should be subject to follow-up specific investigation after 
1 year. 

10. In case of doubts about a company's compliance or pending complaints, the 
Department of Commerce should inform the competent EU data protection authority. 

1 1 . False claims of Safe Harbour adherence should continue to be investigated. A 
company claiming on its website that it complies with the Safe Harbour requirements, 
but is not listed by the Department of Commerce as a ‘current’ member of the 
scheme, is misleading consumers and abusing their trust. False claims weaken the 
credibility of the system as a whole and therefore should be immediately removed 
from the companies’ websites. 

Access by US authorities 

12. Privacy policies of self-certified companies should include information on the extent 
to which US law allows public authorities to collect and process data transferred 
under the Safe Harbour. In particular companies should be encouraged to indicate in 
their privacy policies when they apply exceptions to the Principles to meet national 
security, public interest or law enforcement requirements. 

13. It is important that the national security exception foreseen by the Safe Harbour 
Decision is used only to an extent that is strictly necessary or proportionate. 



EN 



